Google Git
Sign in
apache / linkis / refs/tags/1.3.1^! / .
commit8e804ff2e3c2ef55b92a206c38b6a9925f466670[log] [tgz]
authoraiceflower <kinsanities@sina.com>Thu Jan 12 20:22:50 2023 +0800
committerGitHub <noreply@github.com>Thu Jan 12 20:22:50 2023 +0800
tree8c72573279d9a6c97458fcf50d0797e8559458a4
parenta652276961e39a6e0d6f79698e2b082a72f160d1 [diff]
deal with url encode (#4113)


diff --git a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
index 5333b24..f7158b4 100644
--- a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
+++ b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java

@@ -23,6 +23,8 @@
 
 import org.apache.commons.lang3.StringUtils;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
@@ -93,6 +95,12 @@
     if (StringUtils.isBlank(url)) {
       throw new LinkisSecurityException(35000, "Invalid mysql connection cul, url is empty");
     }
+    // deal with url encode
+    try {
+      url = URLDecoder.decode(url, "UTF-8");
+    } catch (UnsupportedEncodingException e) {
+      throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
+    }
     if (url.endsWith(QUESTION_MARK) || !url.contains(QUESTION_MARK)) {
       logger.info("checkJdbcSecurity target url: {}", url);
       return url;
@@ -126,6 +134,18 @@
       return paramsMap;
     }
 
+    // deal with url encode
+    String paramUrl = parseParamsMapToMysqlParamUrl(paramsMap);
+    try {
+      paramUrl = URLDecoder.decode(paramUrl, "UTF-8");
+    } catch (UnsupportedEncodingException e) {
+      throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
+    }
+
+    Map<String, Object> newParamsMap = parseMysqlUrlParamsToMap(paramUrl);
+    paramsMap.clear();
+    paramsMap.putAll(newParamsMap);
+
     Iterator<Map.Entry<String, Object>> iterator = paramsMap.entrySet().iterator();
     while (iterator.hasNext()) {
       Map.Entry<String, Object> entry = iterator.next();

diff --git a/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java b/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
index 9d4893e..4fdca7b 100644
--- a/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
+++ b/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java

@@ -91,6 +91,15 @@
           SecurityUtils.checkJdbcSecurity(atomUrl.get());
         });
 
+    // url encode
+    url = "jdbc:mysql://127.0.0.1:10000/db_name?allowLocalInfil%65=true";
+    atomUrl.set(url);
+    Assertions.assertThrows(
+        LinkisSecurityException.class,
+        () -> {
+          SecurityUtils.checkJdbcSecurity(atomUrl.get());
+        });
+
     // value is not security
     url = "jdbc:mysql://127.0.0.1:10000/db_name?p1=allowLocalInfile";
     atomUrl.set(url);
@@ -118,6 +127,11 @@
     Assertions.assertEquals("v1", newMap.get("p1"));
 
     // key not security
+    paramsMap.put("allowLocalInfil%67", "true");
+    SecurityUtils.checkJdbcSecurity(paramsMap);
+    Assertions.assertEquals("true", newMap.get("allowLocalInfilg"));
+
+    // key not security
     paramsMap.put("allowLocalInfile", "false");
     Assertions.assertThrows(
         LinkisSecurityException.class,
@@ -134,6 +148,15 @@
           SecurityUtils.checkJdbcSecurity(paramsMap);
         });
 
+    // value not security
+    paramsMap.clear();
+    paramsMap.put("p1", "allowLocalInfil%65");
+    Assertions.assertThrows(
+        LinkisSecurityException.class,
+        () -> {
+          SecurityUtils.checkJdbcSecurity(paramsMap);
+        });
+
     // contains #
     paramsMap.clear();
     paramsMap.put("p1#", "v1");